Chapter 1 – Modern Network Security Threats
CCNA Security
Objectives
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Fundamental Principles of a Secure Network
Evolution of Network Security
• In July 2001, the Code Red worm attacked web servers globally,
infecting over 350,000 hosts.
• The Code Red worm caused a Denial of Service (DoS) to millions
of users.
Evolution of Network Security
• When the first viruses were unleashed and the first DoS attack
occurred, the world began to change for networking professionals.
• To meet the needs of users, network professionals learned
techniques to secure networks.
• Refer to 1.1.1.2
Evolution of Network Security
Year and security technology:
1984: First IDS for ARPAnet (SRI International IDES)
Late 1988: DEC Packet Filter Firewall
1989: AT&T Bell Labs Stateful Firewall
1991: DEC SEAL Application Layer Firewall
1994: Check Point Firewall
1995: NetRanger IDS
August 1997: RealSecure IDS
1998: Snort IDS
Late 1999: First IPS
2006: Cisco Zone-based Policy Firewall
2010: Cisco Security Intelligence Operations
Evolution of Network Security
• An IDS provides real-time detection of certain types of attacks while they are in progress.
• This detection allows network professionals to more quickly mitigate the negative impact of these attacks on network devices and users.
• In the late 1990s, the intrusion prevention system or sensor (IPS) began to replace the IDS solution.
• IPS devices enable the detection of malicious activity and
have the ability to automatically block the attack in real-time.
• In addition to IDS and IPS solutions, firewalls were developed
to prevent undesirable traffic from entering prescribed areas
within a network, thereby providing perimeter security.
Evolution of Network Security
• Internal threats fall into two categories: spoofing and DoS.
Evolution of Network Security
Evolution of LAN Security
Evolution of Network Security
• Three components of information security: confidentiality, integrity, and availability.
• Encrypting data: encryption provides confidentiality by hiding plaintext data.
• Data integrity: data is not changed from source to destination.
• Availability: data accessibility is guaranteed by network hardening mechanisms and backup systems.
Evolution of Network Security
Evolution of Data Protection Technologies
Year and security technology:
1993: Cisco GRE Tunnels
1996: Site-to-Site IPsec VPNs
1999: SSH
2000: MPLS VPNs
2001: Remote-access IPsec VPN
2002: Dynamic Multipoint VPN
2005: SSL VPN
2010: Group Encrypted Transport VPN (GET VPN)
Drivers for Network Security
• The word hacker has a variety of meanings.
• For many, it means Internet programmers who try to gain unauthorized access to devices on the Internet.
• It is also used to refer to individuals who run programs to prevent or slow network access for a large number of users, or corrupt or wipe out data on servers.
• But for some, the term hacker has a positive interpretation: a network professional who uses sophisticated Internet programming skills to ensure that networks are not vulnerable to attack.
Good or bad, hacking is a driving force in network security.
Drivers for Network Security
Refer to 1.1.2.2
• Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems.
• Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines.
• When a phone number was found, password-cracking programs were used to gain access.
• Wardriving: users gain unauthorized access to networks via wireless access points.
• A number of other threats have evolved since the 1960s, including network scanning tools such as Nmap and SATAN, as well as remote system administration hacking tools such as Back Orifice.
Drivers for Network Security
• What is the job of a network security professional?
1. To stay one step ahead of the hackers by
• attending training and workshops,
• participating in security organizations,
• subscribing to real-time feeds regarding threats,
• and perusing security websites on a daily basis.
2. Have access to state-of-the-art security tools, protocols, techniques, and technologies.
3. Always remain aware of malicious activities and have the skills and tools to minimize or eliminate the threats associated with those activities.
Drivers for Network Security
This virus resulted in memory overflows in Internet mail servers.
Drivers for Network Security
Robert Morris created the first Internet worm with 99 lines of code.
Network Security Organizations
• SysAdmin, Audit, Network, Security (SANS) Institute
• Computer Emergency Response Team (CERT)
• International Information Systems Security Certification Consortium
(pronounce (ISC)2 as "I-S-C-squared")
Network security professionals must collaborate with professional colleagues more frequently than most other professions.
Network Security Organizations
• SANS was established in 1989 as a cooperative research and
education organization.
• The focus of SANS is information security training and certification.
• SANS develops security courses that can be taken to prepare for
Global Information Assurance Certification (GIAC) in auditing,
management, operations, legal issues, security administration, and
software security.
Network Security Organizations
• CERT is part of the U.S. federally funded Software Engineering Institute
(SEI) at Carnegie Mellon University.
• CERT is chartered to work with the Internet community in detecting and
resolving computer security incidents.
• CERT responds to major security incidents and analyzes product
vulnerabilities.
• CERT focuses on 5 areas: software assurance, secure systems, organizational security, coordinated response, and education and training.
Network Security Organizations
• (ISC)2 provides vendor-neutral education products and career services in more than 135 countries.
• The mission of (ISC)2 is to make the cyber world a safe place through elevating information security to the public domain and supporting and developing information security professionals around the world.
• Detail: 1.1.3.4
Network Security Organizations
• In addition to the websites of the various security organizations, one of the most useful tools for the network security professional is Really Simple Syndication (RSS) feeds.
• RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news headlines, audio, and video.
• RSS uses a standardized format. An RSS feed includes complete or summarized text, plus metadata, such as publishing dates and authorships.
• By using RSS, a network security professional can acquire up-to-date information on a daily basis and aggregate real-time threat information for review at any time.
Domains of Network Security
Refer: 1.1.4.1
Domains of Network Security
The 12 domains of network security provide a convenient separation for the elements of network security.
One of the most important domains is security policy.
"A security policy is a formal statement of the rules by which people must abide who are given access to the technology and information assets of an organization."
Network Security Policies
The policy is used to aid in network design, convey security principles, and
facilitate network deployments.
The network security policy outlines rules for network access, determines how
policies are enforced, and describes the basic architecture of the organization's
network security environment.
Network Security Policies
A Cisco Self-Defending Network (SDN) uses the network to identify, prevent, and adapt
to threats.
Unlike point-solution strategies, where products are purchased individually without
consideration for which products work best together, a network-based approach is a
strategic approach that meets the current challenges and evolves to address new security
needs.
A Cisco SDN begins with a strong, secure, flexible network platform from which a security solution is built.
Network Security Policies
Refer to 1.1.5.2
Network Security Policies
Detail: 1.1.5.3
Network Security Policies
A security policy is a "living document," meaning that the document is never finished and is continuously updated as technology, business, and employee requirements change.
Viruses, Worms, and Trojan Horses
Viruses
• A virus is malicious software which attaches to another program to
execute a specific unwanted function on a computer.
• A worm executes arbitrary code and installs copies of itself in the
memory of the infected computer, which then infects other hosts.
• A Trojan Horse is an application written to look like something
else. When a Trojan Horse is downloaded and opened, it attacks
the end-user computer from within.
• Refer: 1.2.1.1
Viruses
• The term virus refers to an infectious organism that
requires a host cell to grow and replicate.
Viruses
• A virus is a malicious code that is attached to legitimate programs or
executable files.
• Most viruses require end-user activation and can lay dormant for an
extended period and then activate at a specific time or date.
• When activated, the virus might check the disk for other executables, so
that it can infect all the files it has not yet infected.
• Today, most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most common type of virus.
Worms
• Worms are a particularly dangerous type of hostile code.
• They replicate themselves by independently exploiting vulnerabilities in
networks.
• Worms usually slow down networks.
• Worms are responsible for some of the most devastating attacks on the
Internet.
Worms
• Most worm attacks have three major components:
– Enabling vulnerability - A worm installs itself using an exploit
mechanism (email attachment, executable file, Trojan Horse) on a
vulnerable system.
– Propagation mechanism - After gaining access to a device, the worm
replicates itself and locates new targets.
– Payload - Any malicious code that results in some action. Most often
this is used to create a backdoor to the infected host.
• Worms are self-contained programs that attack a system to exploit a known
vulnerability.
• Refer to 1.2.2.2
Worms
• There are five basic phases of attack, regardless of whether a worm or
virus is deployed.
Trojan Horses
• A Trojan Horse in the world of computing is
malware that carries out malicious
operations under the guise of a desired
function.
• A virus or worm could carry a Trojan Horse.
• A Trojan Horse contains hidden, malicious code that exploits the privileges of the user that runs it.
• The Trojan Horse concept is flexible.
• It can cause immediate damage, provide remote access to the system (a back door), or perform actions as instructed remotely, such as "send me the password file once per week."
Trojan Horses
• Trojan Horses are usually classified according to the damage that they cause or the manner in which they breach a system:
– Remote-access Trojan Horse (enables unauthorized remote access)
– Data sending Trojan Horse (provides the attacker with sensitive data such as
passwords)
– Destructive Trojan Horse (corrupts or deletes files)
– Proxy Trojan Horse (user's computer functions as a proxy server)
– FTP Trojan Horse (opens port 21)
– Security software disabler Trojan Horse (stops anti-virus programs or firewalls
from functioning)
– Denial of Service Trojan Horse (slows or halts network activity)
Mitigating Viruses, Worms, Trojan Horses
• A majority of the software vulnerabilities that are discovered relate
to buffer overflows.
• A buffer is an allocated area of memory used by processes to store
data temporarily.
Mitigating Viruses, Worms, Trojan Horses
Mitigating Viruses and Trojan Horses
• The primary means of mitigating virus and Trojan horse attacks is
anti-virus software.
• Anti-virus products are host-based.
• These products are installed on computers and servers to detect
and eliminate viruses.
Mitigating Viruses, Worms, Trojan Horses
Mitigating Worms
• The containment phase involves limiting the spread of a worm infection
to areas of the network that are already affected.
• The inoculation phase runs parallel to or subsequent to the
containment phase.
• The quarantine phase involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them.
• During the treatment phase, actively infected systems are disinfected of the worm.
Mitigating Viruses, Worms, Trojan Horses
• In the case of the SQL Slammer worm, malicious traffic was
detected on UDP port 1434.
• This port should normally be blocked by a firewall on the perimeter.
• Some organizations could not block UDP port 1434 because it was
required to access the SQL Server for legitimate business
transactions.
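The SQL Slammer discussion above describes the trade-off exactly: UDP port 1434 should be closed at the perimeter, but some organizations needed it open for legitimate database traffic. The usual resolution is a narrow exception rather than an open port. The following Python model is an added example, not Cisco configuration and not part of the course material: it evaluates a first-match filter rule list that permits UDP/1434 only from one trusted subnet to one server and denies it from everywhere else. The addresses, rule list and sample packets are constructed.

```python
"""Evaluate a first-match perimeter filter with a narrow UDP/1434 exception.

Added example for this chapter. The rule list and packets are constructed;
the addresses come from the documentation ranges, not from any real network.
"""
import ipaddress

# First-match rule list. Each rule: (action, protocol, src_net, dst_net, dst_port).
# A dst_port of None matches any port; "any" matches any protocol.
RULES = [
    # Only the partner application subnet may reach the one SQL server on 1434.
    ("permit", "udp", "198.51.100.0/24", "192.0.2.10/32", 1434),
    # Everything else aimed at 1434 is dropped at the perimeter.
    ("deny",   "udp", "0.0.0.0/0",       "0.0.0.0/0",     1434),
    # Public HTTPS to the DMZ.
    ("permit", "tcp", "0.0.0.0/0",       "192.0.2.0/24",  443),
    # Explicit final rule standing in for the implicit deny.
    ("deny",   "any", "0.0.0.0/0",       "0.0.0.0/0",     None),
]


def evaluate(rules, protocol, src_ip, dst_ip, dst_port):
    """Return (action, rule_index) for the first rule that matches the packet.

    The rule index is returned so that a log line can say which rule fired,
    which is what an analyst needs when a permitted flow looks suspicious.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for idx, (action, proto, src_net, dst_net, port) in enumerate(rules):
        if proto != "any" and proto != protocol:
            continue
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if port is not None and port != dst_port:
            continue
        return action, idx
    return "deny", None   # no rule matched: drop, as a real firewall would


def filter_packets(rules, packets):
    """Return [(packet, action)] for packets given as (protocol, src, dst, dst_port)."""
    return [(pkt, evaluate(rules, *pkt)[0]) for pkt in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    ("udp", "198.51.100.7", "192.0.2.10", 1434),  # partner query: permitted
    ("udp", "203.0.113.9",  "192.0.2.10", 1434),  # probe from the Internet: denied
    ("udp", "198.51.100.7", "192.0.2.11", 1434),  # partner host, wrong server: denied
    ("tcp", "203.0.113.9",  "192.0.2.20", 443),   # HTTPS to the DMZ: permitted
    ("tcp", "203.0.113.9",  "192.0.2.20", 22),    # SSH from the Internet: final deny
]


if __name__ == "__main__":
    for pkt, action in filter_packets(RULES, SAMPLE_PACKETS):
        print(f"{action:6} {pkt[0]} {pkt[1]} -> {pkt[2]}:{pkt[3]}")
```

The order of the first two rules is the whole point: the permit for the trusted subnet must precede the broad deny, and the permit's destination is a single host, so the exception does not quietly reopen 1434 to the rest of the server network.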
Mitigating Viruses, Worms, Trojan Horses
• Cisco Security Agent (CSA) is a host-based intrusion prevention system
that can be integrated with anti-virus software from various vendors.
• Another solution for mitigating threats is Cisco Network Admission Control
(NAC).
• Cisco Security Monitoring, Analysis, and Response System (MARS) provides security monitoring for network security devices and host applications created by Cisco and other providers.
Attack Methodologies
Types of Attacks
• There are many different types of network attacks other than viruses, worms, and Trojan Horses:
Refer: 1.3.1.1
• Reconnaissance Attacks
– Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities.
– Reconnaissance is analogous to a thief surveying a neighborhood for vulnerable homes to break into, such as an unoccupied residence or a house with an easy-to-open door or window.
• Access Attacks
– Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
• Denial of Service Attacks
– Denial of service attacks send extremely large numbers of requests over a network or the Internet.
Reconnaissance Attacks
• Reconnaissance is also known as information gathering and, in most
cases, precedes an access or DoS attack.
• In a reconnaissance attack, the malicious intruder typically begins by
conducting a ping sweep of the target network to determine which IP
addresses are active.
• Reconnaissance attacks use various tools to gain access to a network:
– Packet sniffers
– Ping sweeps
– Port scans
– Internet information queries
Refer: 1.3.1.2
Reconnaissance Attacks
• A packet sniffer is a software application that uses a network adapter card
in promiscuous mode to capture all network packets that are sent across a
LAN.
• Packet sniffers can only work in the same collision domain as the network
being attacked, unless the attacker has access to the intermediary
switches.
• Numerous freeware and shareware packet sniffers, such as Wireshark, are available and do not require the user to understand anything about the underlying protocols.
• Refer: 1.3.1.3
Reconnaissance Attacks
• Refer: 1.3.1.4
Reconnaissance Attacks
• Keep in mind that reconnaissance attacks are typically the precursor to
further attacks with the intention of gaining unauthorized access to a
network or disrupting network functionality.
• A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second.
• A Cisco ISR supports the security technologies that enable these types of alarms to be triggered.
• Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.
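The threshold alarms described above, and the ping sweeps and port scans listed under the reconnaissance tools, can be illustrated with a small detector over flow records. The following Python code is an added example for this chapter, not course material and not the logic of any Cisco product: it groups records by source, keeps a sliding time window, and raises one alarm when a source has pinged many distinct hosts (ping sweep) or touched many distinct TCP ports on one host (port scan). The flow records are constructed, and the window and thresholds are assumptions that a real deployment would tune against its own baseline.

```python
"""Detect ping sweeps and port scans in flow records by counting fan-out per source.

Added example for this chapter. The flow records are constructed and the
thresholds are illustrative assumptions.
"""
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, protocol, dst_port).
# 203.0.113.5 pings ten hosts in ten seconds, then probes sixteen ports on one
# of them; 198.51.100.9 is ordinary traffic that must not raise an alarm.
FLOWS = (
    [(t, "203.0.113.5", f"192.0.2.{t + 1}", "icmp", None) for t in range(10)]
    + [(20.0 + 0.1 * i, "203.0.113.5", "192.0.2.7", "tcp", p)
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                              443, 445, 3306, 3389, 8080, 8443])]
    + [(3, "198.51.100.9", "192.0.2.1", "icmp", None),
       (4, "198.51.100.9", "192.0.2.1", "icmp", None),
       (5, "198.51.100.9", "192.0.2.1", "tcp", 443),
       (6, "198.51.100.9", "192.0.2.20", "tcp", 80)]
)


def detect_recon(flows, window=10.0, sweep_hosts=8, scan_ports=10):
    """Return alerts as (src_ip, kind, detail) tuples.

    kind is "ping_sweep" when one source sends ICMP echo to at least
    sweep_hosts distinct hosts within `window` seconds, or "port_scan" when it
    touches at least scan_ports distinct TCP ports on one host in that window.
    Each (source, kind, target) fires at most once so a noisy scanner does not
    flood the alert log.
    """
    by_src = defaultdict(list)
    for rec in sorted(flows, key=lambda r: r[0]):
        by_src[rec[1]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        fired = set()
        start = 0   # index of the oldest record still inside the window
        for i, rec in enumerate(recs):
            ts = rec[0]
            while recs[start][0] < ts - window:
                start += 1
            recent = recs[start:i + 1]

            icmp_targets = {dst for _, _, dst, proto, _ in recent if proto == "icmp"}
            if len(icmp_targets) >= sweep_hosts and "ping_sweep" not in fired:
                fired.add("ping_sweep")
                alerts.append((src, "ping_sweep",
                               f"{len(icmp_targets)} hosts within {window}s"))

            ports_by_dst = defaultdict(set)
            for _, _, dst, proto, port in recent:
                if proto == "tcp":
                    ports_by_dst[dst].add(port)
            for dst, ports in ports_by_dst.items():
                if len(ports) >= scan_ports and ("port_scan", dst) not in fired:
                    fired.add(("port_scan", dst))
                    alerts.append((src, "port_scan", f"{len(ports)} ports on {dst}"))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in detect_recon(FLOWS):
        print(f"ALERT {kind} from {src}: {detail}")
```

Fan-out (distinct targets) rather than raw packet rate is what separates a sweep from a chatty but legitimate host: the benign source above sends the same number of ICMP packets per second as the scanner does, but to one host only.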
Access Attacks
• Hackers use access attacks on networks or systems for three reasons:
retrieve data, gain access, and escalate access privileges.
• Access attacks often employ password attacks to guess system
passwords.
• Password attacks can be implemented using several methods, including brute-force attacks, Trojan Horse programs, IP spoofing, and packet sniffers.
• A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server.
• Refer: 1.3.2.1
Access Attacks
• There are five types of access attacks:
– Password attack: an attacker attempts to guess system passwords.
– Trust exploitation: an attacker uses privileges granted to a system in an unauthorized way.
– Port redirection: a compromised system is used as a jump-off point for attacks against other targets.
– Man-in-the-middle attack: an attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.
– Buffer overflow: a program writes data beyond the allocated buffer memory. A result of the overflow is that valid data is overwritten or exploited to enable the execution of malicious code.
• Refer: 1.3.2.2
Access Attacks
• Access attacks in general can be detected by reviewing logs, bandwidth
utilization, and process loads.
• Example: ManageEngine EventLog Analyzer or Cisco Secure Access
Control Server (CSACS)
Denial of Service Attacks
Refer: 1.3.3.1
• A DoS attack is a network attack in which devices can no longer provide service to users, for example because a buffer overflows or the CPU is exhausted.
• There are two major reasons a DoS attack occurs:
– A host or application fails to handle an unexpected condition, such as maliciously formatted input data, an unexpected interaction of system components, or simple resource exhaustion.
– A network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.
Denial of Service Attacks
• Refer: 1.3.3.2
DoS attack
Denial of Service Attacks
• Refer: 1.3.3.2
A Distributed Denial of Service Attack (DDoS)
Denial of Service Attacks
• Ping of Death
– In a ping of death attack, a hacker sends an echo request in an IP
packet larger than the maximum packet size of 65,535 bytes.
– Sending a ping of this size can crash the target computer.
– A variant of this attack is to crash a system by sending ICMP
fragments, which fill the reassembly buffers of the target.
• Refer: 1.3.3.3
Denial of Service Attacks
• Smurf Attack
– In a smurf attack, a perpetrator sends a large number of ICMP requests
to directed broadcast addresses, all with spoofed source addresses on
the same network as the respective directed broadcast.
Denial of Service Attacks
• TCP SYN Flood
– In a TCP SYN flood attack, a flood of TCP SYN packets is sent, often
with a forged sender address.
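A TCP SYN flood as described above is visible to a defender as a pile-up of half-open connections: SYNs arrive, the server answers with SYN-ACK, and the forged sources never send the final ACK. The following Python code is an added example for this chapter, not course material: it replays a packet list, tracks which handshakes were never completed or aborted, and flags a service whose half-open count crosses a threshold. The packet list is constructed and the threshold of 50 is an assumption.

```python
"""Flag a TCP SYN flood by tracking half-open connections per service.

Added example for this chapter. The packet list is constructed; the
forged sources use a documentation range and do not belong to any real host.
"""
from collections import defaultdict


def track_half_open(packets, threshold=50):
    """Walk (src_ip, src_port, dst_ip, dst_port, flags) records in arrival order.

    flags is the TCP flag string as a capture tool would show it: "S" for SYN,
    "SA" for SYN-ACK, "A" for ACK, "R" for RST. Only client-side packets
    matter here, so the server's SYN-ACKs are ignored. Returns
    (half_open_counts, alerts): counts maps (dst_ip, dst_port) to the number
    of unfinished handshakes, alerts lists the services at or above threshold.
    """
    # (dst_ip, dst_port) -> {(src_ip, src_port)} still waiting for the final ACK
    pending = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        service = (dst_ip, dst_port)
        client = (src_ip, src_port)
        if flags == "S":
            pending[service].add(client)
        elif flags in ("A", "R"):
            pending[service].discard(client)   # handshake completed or aborted
    counts = {service: len(clients) for service, clients in pending.items()}
    alerts = sorted(service for service, n in counts.items() if n >= threshold)
    return counts, alerts


# Constructed traffic: two real clients complete their handshakes to 192.0.2.10,
# while 80 forged sources each send one SYN to port 80 and never answer the SYN-ACK.
LEGIT = [
    ("198.51.100.5", 51000, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "198.51.100.5", 51000, "SA"),
    ("198.51.100.5", 51000, "192.0.2.10", 80, "A"),
    ("198.51.100.6", 51001, "192.0.2.10", 443, "S"),
    ("198.51.100.6", 51001, "192.0.2.10", 443, "A"),
]
FLOOD = [(f"203.0.113.{i}", 40000 + i, "192.0.2.10", 80, "S") for i in range(1, 81)]
SAMPLE_PACKETS = LEGIT[:2] + FLOOD + LEGIT[2:]


if __name__ == "__main__":
    counts, alerts = track_half_open(SAMPLE_PACKETS)
    for dst_ip, dst_port in alerts:
        print(f"SYN flood suspected on {dst_ip}:{dst_port} "
              f"({counts[(dst_ip, dst_port)]} half-open connections)")
```

Keying the pending set by client address and port means a legitimate client that completes its handshake in the middle of the flood is correctly removed, while the forged sources, which never complete, keep accumulating; in practice the same state table is what a SYN-cookie or TCP intercept mitigation relieves the server of maintaining.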
Denial of Service Attacks
There are five basic ways that DoS attacks can do harm:
1. Consumption of resources, such as bandwidth, disk space, or processor
time
2. Disruption of configuration information, such as routing information
3. Disruption of state information, such as unsolicited resetting of TCP
sessions
4. Disruption of physical network components
5. Obstruction of communication between the victim and others.
Mitigating Network Attacks
The important question is, "How do I mitigate these network attacks?"
Mitigating Network Attacks
Mitigating Reconnaissance Attack
Mitigating Network Attacks
Mitigating Access Attack
Mitigating Network Attacks
Mitigating DoS Attack
These 10 best practices represent the best insurance for a network:
1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs.
6. Perform backups and test the backed up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.
10. Develop a written security policy for the company.
Mitigating Network Attacks
Summary
Files attached to this document:
- ccna_security_chapter_1_modern_network_security_threats_3389_1132.pdf